
DLL Function Parameters

Started by NicoQwertyu, August 31, 2006, 10:54 AM


NicoQwertyu

There's a "mystery" DLL that I'm interested in.  No documentation or source has ever been released by the creator, and no one has released their own research on the dll to the public.  Getting the function names (exports) is easy enough, but how can I find out: how many, type, and order of parameters to be passed to these functions?

All I have right now is an entry point, an ordinal, and a non-decorated function name.

UserLoser

Disassemble it and figure it out.

Win32

As UserLoser says, disassemble the DLL and find the routine entry points and take a look at the function prelude.


-Matt

TheMinistered

Quote
take a look at the function prelude.

Since when did the C++ generated assembly to set up the stack and whatnot (SEH error handling, etc.) give you any idea of what the function does?  It'll give you an idea of how many variables it's using perhaps, lol.

If you want to know what a function DOES, you must examine it wholly.  You must examine it step by step from start to finish.  You must understand every instruction's purpose/role.  From entry point to ret.

If you don't know all about reverse-engineering there is one thing you can do.  You can figure out the declarations and call them.  See what happens, maybe it'll produce a predictable outcome/etc.

Win32

All he wants to know is what parameters the function takes. Didn't mention anything about what it actually does.


-Matt

MyndFyre

Quote from: Win32 on September 01, 2006, 08:37 AM
All he wants to know is what parameters the function takes. Didn't mention anything about what it actually does.


-Matt
Right, that will tell him (possibly) what the number of parameters are, but it won't tell him the type of use of the parameters.  For that you'd need to follow the execution path of the function.  For example, if one of the parameters on the stack is used in GetPrivateProfileStringA, then you could probably infer that the parameter is a char* (unless it's passed in parameter 4 (0-based)), and you could also deduce the actual use of the parameter based on where it is in the GetPrivateProfileString call.

Plus, the function prelude doesn't tell you if there are any __fastcall parameters, or if the function was naked.

UserLoser

Out of curiosity, what DLL are you speaking of?


Warrior

I'm unfamiliar with Steam but if you're looking into hacking a game I'd look into the HL/Source SDKs.


Warrior

No shame in that, I think it's fine to discuss the development but not the distribution. Of course you could have been looking into something related to logons and accessing all games or something.

NicoQwertyu

I'm not interested in game hacking.  I just meant I didn't want to be pointed into the direction of "look at ____ source."  I just want to learn how to take a DLL I have no knowledge of, and find how to use each of its functions (or a select few).

I found a section of asm that calls (SteamGetCurrentEmailAddress) a function, which I thought would be simple and wouldn't accept many arguments, but it doesn't look that way.  If anyone could help me understand this, I'd be grateful. 

200899C0  55                              push   ebp
200899C1  8BEC                            mov   ebp,esp
200899C3  51                              push   ecx
200899C4  894DFC                          mov   [ebp-04h],ecx
200899C7  8B4514                          mov   eax,[ebp+14h]
200899CA  50                              push   eax
200899CB  8B4D10                          mov   ecx,[ebp+10h]
200899CE  51                              push   ecx
200899CF  8B550C                          mov   edx,[ebp+0Ch]
200899D2  52                              push   edx
200899D3  8B4508                          mov   eax,[ebp+08h]
200899D6  50                              push   eax
200899D7  E871C70E00                      call   SteamGetCurrentEmailAddress
200899DC  83C410                          add   esp,00000010h
200899DF  8BE5                            mov   esp,ebp
200899E1  5D                              pop   ebp
200899E2  C21000                          retn   0010h

Does this mean it takes 4 arguments, all of which are 4 bytes?

Kp

Quote from: NicoQwertyu on September 03, 2006, 12:38 PM
Does this mean it takes 4 arguments, all of which are 4 bytes?

For the most part, yes.  It's possible that some of those arguments are smaller than 4 bytes, but the compiler must promote them up to a multiple of 32bits to pass them easily.
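The reasoning in the replies above, as an added example that is not part of the original thread: a small Python heuristic that reads the posted listing (address and byte columns dropped) and reports the incoming stack slots, the bytes popped by `retn`, whether `ecx` is read before it is written, and the caller cleanup after each `call`. The function name and result keys are hypothetical, and the output is evidence about argument count and calling convention only, not about argument types.

```python
import re

# Instructions from the listing posted above, address/byte columns dropped.
LISTING = ("push ebp; mov ebp,esp; push ecx; mov [ebp-04h],ecx; "
           "mov eax,[ebp+14h]; push eax; mov ecx,[ebp+10h]; push ecx; "
           "mov edx,[ebp+0Ch]; push edx; mov eax,[ebp+08h]; push eax; "
           "call SteamGetCurrentEmailAddress; add esp,00000010h; "
           "mov esp,ebp; pop ebp; retn 0010h")

def infer_signature(listing):
    """Heuristic read of a 32-bit x86 routine that uses an ebp frame."""
    insns = [i.strip() for i in listing.split(";") if i.strip()]
    stack_args, calls = set(), []
    callee_pops, ecx_in, ecx_written = 0, False, False
    for n, ins in enumerate(insns):
        op, _, rest = ins.partition(" ")
        ops = [o.strip().lower() for o in rest.split(",")]
        # [ebp+8] and above are incoming stack slots
        # ([ebp+0] is the saved ebp, [ebp+4] the return address).
        for off in re.findall(r"\[ebp\+([0-9a-f]+)h?\]", ins, re.I):
            stack_args.add(int(off, 16))
        if op == "mov" and len(ops) == 2:
            # ecx read before any write: a value arrived in the register
            # (thiscall 'this' or a __fastcall argument).
            ecx_in |= ops[1] == "ecx" and not ecx_written
            ecx_written |= ops[0] == "ecx"
        elif op in ("ret", "retn") and rest:
            # 'retn N': the callee removes N bytes of arguments itself.
            callee_pops = int(rest.rstrip("h"), 16)
        elif op == "call":
            # 'add esp,N' right after a call: the caller cleans up N bytes,
            # so the called routine takes N bytes of stack arguments.
            nxt = insns[n + 1] if n + 1 < len(insns) else ""
            m = re.fullmatch(r"add esp,([0-9a-f]+)h?", nxt, re.I)
            calls.append((rest, int(m.group(1), 16) if m else 0))
    return {"stack_arg_offsets": sorted(stack_args),
            "callee_pops_bytes": callee_pops,
            "ecx_read_before_write": ecx_in,
            "calls": calls}

if __name__ == "__main__":
    for key, value in infer_signature(LISTING).items():
        print(f"{key}: {value}")
```

For this listing the result is four dword stack slots on both the wrapper and the routine it calls, plus a register value arriving in `ecx`, which is the case the function prelude alone would not reveal.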